Testimony of Paul Benda before the House Financial Services Committee’s Task Force on Artificial Intelligence

The rise of a ubiquitous internet connection allows users to download data on demand, access advanced applications and have the computing power needed to run these applications from a mobile phone –

Finally, as cloud capabilities advance, cloud service providers (CSPs) have begun to offer advanced analytic and artificial intelligence tools to their customers to allow them to better understand their data in ways they could never achieve in a cost-efficient manner on their own.

There are a variety of reasons for this more measured approach, including the fact that in the early days of the development of the cloud there was a lack of confidence by many in the financial industry that CSPs could effectively support the rigorous regulatory requirements and oversight that financial institutions and their vendors must operate within.

These standards require financial institutions to take meaningful steps that are designed to ensure the security and confidentiality of customer information, protect against anticipated threats to such information, and protect against unauthorized access to, or use of, this information that could result in substantial harm or inconvenience to any customer.

These standards also require that financial institutions have in place incident response programs to address security incidents involving unauthorized access to customer information, including notifying customers of possible breaches when appropriate.

Unlike other sectors, where violations of statutory and regulatory restrictions must occur before regulatory oversight is likely to occur, financial institutions are subject to strict regulatory oversight and regular exams regarding their compliance with privacy and data protection laws.

The Handbook not only provides meaningful guidance to financial institutions regarding the regulatory expectations for, among other things, information security, outsourced technology services and business continuity, but also is used by the regulators to examine banks and assess their compliance.

The guidance identifies critical areas that financial institutions must consider and assess when using the cloud, including due diligence, vendor management, audit, information security, legal, regulatory and reputational considerations and business continuity planning.

Of particular note, the cloud guidance stresses that “[a] financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.”

While typical cloud implementations follow a shared responsibility model for data security in which the CSPs have certain responsibilities related to the security of, for example, the physical infrastructure of the relevant cloud, the utilization, deployment, security and administration of such resources made available by the CSP, however, are ultimately the responsibility of the financial institution using the cloud.

The economies of scale, cost reductions, flexibility, scalability, improved load balancing and access to advanced technologies all provide a meaningful business case for financial institutions to consider moving at least some aspects of their operations to the cloud, even if only on a small or limited scale.

Additionally, large CSPs have data centers spread over wide geographic regions with resilient data architectures and redundancies in place to provide a high degree of operational resilience that is nearly impossible to match except for the largest financial institutions.

Although there are compelling business and operational resilience reasons for financial institutions to consider the use of the cloud, it is critical that financial institutions first put in place strong and effective risk mitigation strategies to address the risks that are unique to the cloud.

The robust regulatory regime in place for financial institutions provides a strong framework for financial institutions to make a balanced risk assessment on whether migrating applications to the cloud makes sense for their computing environment and business model.

Larger financial institutions may have a better ability to bargain for contracts and products to meet their regulatory challenges, but it can be especially difficult for smaller financial institutions, that simply do not have enough market share, to work effectively with large CSPs to make changes to, for example, standardized contracts or product offerings.

In many ways, this situation is similar to the issue small institutions face when dealing with the large core banking system providers who provide them the back-end systems that process their daily banking transactions.

These types of services have the potential of providing significant help, especially to smaller institutions, to access the data necessary to satisfy the regulatory oversight requirements of critical third party providers, and other CSPs should be encouraged to participate in these types of programs.

In addition, default security settings should be restrictive versus open, and coordination among CSPs in the development of a unified security controls baseline for financial institutions would help ensure appropriate controls are used at the start of any deployment.

Along with improved collaboration on security and notification procedures, we believe there is potential for financial institutions, CSPs and regulators to collaborate on a best practices model to provide standardized terms and conditions that provide financial institutions access to required audit and control data.

While many CSPs currently publish attestations to the audits their services have undergone, for financial institutions increased transparency into the business continuity, security incident and breach response, and testing programs would help them comply with their regulatory requirements.

A potentially more efficient approach would be to establish some standardized parameters that financial institutions, CSPs and regulators could follow to ensure the appropriate contractual terms are in place for financial institutions to perform their due diligence and provide an expedited review process for regulators.

Careful consideration, however, should be taken to ensure that any proposed path forward not impinge upon the ability of CSPs to innovate and offer new tools, nor single out financial services deployments and potentially increase costs or limit access to new or advanced capabilities.

As the AI Task Force continues its exploration of these issues, we hope that you will consider the four points we have addressed in this testimony: financial institutions are required to ensure the security and confidentiality of their customers’ information, regardless of whether that information is stored on a financial institution system or in a third party cloud;
